From owner-freebsd-current@FreeBSD.ORG Thu Apr 12 05:19:13 2007
To: Gavin Atkinson
From: Ian FREISLICH
In-reply-to: Your message of "Wed, 11 Apr 2007 15:28:51 +0100." <1176301731.22464.7.camel@buffy.york.ac.uk>
X-Attribution: BOFH
Date: Thu, 12 Apr 2007 07:18:02 +0200
Message-Id:
Cc: freebsd-current@freebsd.org
Subject: Re: [patch] move ipfw logging to after syslogd

Gavin Atkinson wrote:
> On Wed, 2007-04-11 at 15:49 +0200, Ian FREISLICH wrote:
> > Hi
> >
> > We have a problem that on our busy firewalls, a boot and shutdown
> > can be delayed by up to 20 minutes by the kernel printing log
> > messages for denied packets to the console. The problem is that
> > most kernel activity appears to be suspended by outputting ipfw
> > logged messages via the serial console (but not even the video
> > console keeps up). The kernel doesn't even respond to a serial
> > break.
>
> I wonder if a better fix is to ensure syslogd is started before bringing
> up the network? That way, you won't need this, as before IP addresses
> are configured, you shouldn't get hit by anything. Of course, this
> would be an issue for when syslog is set to log remotely, unless that
> already has some "caching" mechanism to prevent messages being thrown
> away.

I'd be happy with that so long as the firewall script is included
in the shutdown process and it sets net.inet.ip.fw.verbose=0 before
syslogd is killed.

> > if [ -r "${firewall_script}" ]; then
> > if [ -f /etc/rc.d/natd ] ; then
> > /etc/rc.d/natd start
> > fi
> > - /bin/sh "${firewall_script}"
> > + . "${firewall_script}"
> > echo 'Firewall rules loaded.'
> > elif [ "`ipfw list 65535`" = "65535 deny ip from any to any" ]; then
> > echo 'Warning: kernel has firewall functionality, but' \
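Review bot: replacing `/bin/sh "${firewall_script}"` with `. "${firewall_script}"` changes failure behaviour, not just where rc.conf variables are visible: a sourced script runs in the rc.d script's own shell, so any `exit` in the user's firewall script terminates rc.d/ipfw itself, skipping `echo 'Firewall rules loaded.'` and everything after it, and any variables or functions the script defines now leak into the rc script's namespace. If sourcing is the intent (for example so the script can see the `firewall_*` rc.conf settings), say so in a comment and document that firewall scripts must return rather than `exit`; otherwise keep the `/bin/sh "${firewall_script}"` form, which isolates the script in a child process.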
> > @@ -34,13 +40,6 @@
> > echo ' All ip services are disabled.'
> > fi
> >
>
> Be careful, it looks like this unintentionally backs out the 1.15
> change.

Ooops. I did notice that and I thought I fixed it.

On a side note, a colleague of mine noted that a side-effect of this
change is that the kernel option IPFIREWALL_VERBOSE is rendered pretty
much useless. It's pretty much useless anyway because it's a knob in
rc.conf.

Ian

--
Ian Freislich
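Review bot: the second hunk's header `@@ -34,13 +40,6 @@` records seven lines removed from this region, but only the two unchanged context lines (`echo ' All ip services are disabled.'` and `fi`) are quoted, so the deletion itself cannot be reviewed from what is posted; please send the complete hunk. Gavin's remark that the patch backs out the 1.15 change follows this hunk, so the next revision should show that block restored rather than just the context lines.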